GDPR Deep Dive: What to do About Cookies

15th Feb 2018
Imagine that, for your software to run, each and every user on your website needed to give consent to A/B testing.
The road to GDPR and ePrivacy compliance is a bumpy one. It requires your data processors to rely on “privacy by design”, and to ask consent if they’re using ANY personal data. That means any personal identifiers. That means cookies, or IP addresses, or zip codes.
Interestingly, PageFair found that only 21% of consumers would opt in to first-party analytics tracking.
These cookies should not be used to re-target adverts; if they are, they should be placed in the category of targeting and advertising cookies according to the ICC UK Cookie Guide, Second Edition, November 2012 [PDF].
Warning: Latin words and legal terms.
So I don’t expect huge fines on May 25th if your basic cookie wall is still live.
In plain English this means: if GDPR and ePrivacy are at odds, or GDPR lays out a guideline that needs further specification, the rules laid out in ePrivacy are the ones you need to follow.
So if your A/B testing software depends on an IP address, unique identifiers like Device IDs, UserID, TransactionID or CookieID, or pseudonymous data (that is, unrecognizable data plus a key stored elsewhere to make it readable again), then it is processing personal data.
Each country may have a slightly different description, but in general, Europe was on board with A/B testing. It helped the performance of the website, provided you did not use it for behavioral targeting and personalization, did not share the information with others, and did not track across websites.

Software Vendors: If You Want to Save Your Business—It’s Time to Redesign Your Apps

All cookies seem to work more or less the same. Tiny web file, stored by a user, tracks activity, etc. etc.
Daniel Felz, Associate at Alston & Bird, shares an even more depressing view: “ePrivacy Regulation Trilogue Negotiations Pushed Back to Fall 2018; Final ePrivacy Regulation May Not Be in Place Until 2020.” At a conference sponsored by the German Federal Society for Data Protection, a spokeswoman from Germany’s Economic Ministry was reported as stating that trilogue negotiations will not begin until the fall of 2018.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
Now GDPR applies to everyone that touches EU data—worldwide. And personal data is defined to include all sorts of new identifiers.
Although the new law (the ePrivacy Regulation) is different, the old/current law, the ePrivacy Directive, helps us understand where A/B testing software stood when cookies could be placed without user consent. We could do our work as normal, as long as we gave clear information to the end user.
But some are more “private” than others.
Right now we just have a draft (named 1533) of the ePrivacy Regulation in debate. It still needs to see feedback from EU member state delegates, so it doesn’t mirror exactly what will soon become law.
GDPR Recital 30 states:

Pre-GDPR A/B testing with ePrivacy Directive and the localized versions in Europe

Most likely yes, you would need consent if your A/B testing software depends on an IP address, unique identifiers like Device IDs, UserID, TransactionID or CookieID, or pseudonymous data (meaning: unrecognizable data plus a key stored elsewhere to make it readable again). These, under GDPR, are unique identifiers, and require explicit opt-ins.
Cookies in the “performance segment” only collect information about website usage for the benefit of the website operator. They rely on aggregate data. They don’t directly “identify a visitor.” Consent for use of these types of cookies may be obtained, for instance, in the terms and conditions of the site, or when the user changes the site settings.
And to do that, I expect, we’ll have to cancel 20% of the 72 software tools we use.
The old ePrivacy Directive gave you the obligation to put a “cookie wall” notice in place, and only focused on European companies.
The GDPR is clear: no personal data without consent. And if you’re waiting for ePrivacy to swoop in with a loophole—you may be looking at a longggg wait.
How would you explain that clearly? Persuasively?
So will you need consent for your A/B testing tool?

Post-GDPR do we need consent for A/B testing?

This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
At Convert, we wanted to make sure no personal data would be stored in our systems, and that no person would be identified through the use of a cookie. It was the only way to keep the balance of business growth, strategic knowledge, and personal privacy of website visitors.
The correct method to use here will depend on the nature of the website, and the precise function of the cookies involved. But in most cases, we can obtain consent with the words: “By using our [website][online service], you agree to the use of these types of cookies on your device.”
The law currently in place, the ePrivacy Directive (which is soon to be replaced with the new ePrivacy Regulation), helps us understand what sort of cookies A/B testing software relies on. They’re performance cookies:

So when do you need to start with explicit consent? When does the ePrivacy Directive switch to the ePrivacy Regulation?

This would mean ⅕ of current traffic would accept analytics if it fell within the consent parameters.
We really want to share a clear message with our web visitors: we care about your privacy.
So let’s get started now.
But it’s clear that finally, the laws are changing. And they’re going to keep changing—as we move into a world where data is worth more, and data subjects demand more.
Privacy authorities are going to have a heck of a time implementing GDPR. And the new ePrivacy laws might not be put in motion until 2019, or even 2020.
But the old ePrivacy directive says something else. It says “for this type of data, you just need a notice, and an opportunity to opt-out.”
Because did you ever wonder what would happen when you need to ask explicit consent for your A/B testing tool?
Less optimistically, she’s also suggested that the ePrivacy Regulation “will likely require additional compliance.” And Alex Propes (Director of Public Policy at the Interactive Advertising Bureau (IAB)) has said “that organizations can only target GDPR at the moment.”
An “optimistic” forecast: Future of Privacy Forum Policy Counsel Gabriela Zanfir-Fortuna says she expects an ePrivacy approval date towards the end of 2018. As to the implementation date, we really have no idea.

So that was a lot of law you threw at me. What does it mean for my business?

So welcome to a legal vacuum.
And the answer is: do you want to risk it?
Testing variations of design, typically using A/B or multivariate testing, to ensure a consistent look and feel is maintained for the user of the site in the current and subsequent sessions. If they fit this description, they are performance cookies.

These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
In the meantime, obviously, the current ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002) remains in place, which is a matter of national legislation.
It remains key to include online data and identifiers, such as cookies and many others, in your GDPR strategy, regardless of where and how the text will be adapted by future delegate discussions.
And now, more than ever, that’s going to make a difference for your marketing stack.
The EU gave us clear guidelines on how cookies should be handled in GDPR, even without the new ePrivacy Regulation in place.
The ePrivacy Regulation follows the principle ‘lex specialis derogat legi generali’, or in short ‘lex specialis’, in relation to the GDPR.
JUST because of a lack of clarity on privacy. Or a lack of GDPR-adjusted features. Or a lack of willingness to manage the data of our customers, prospects and other relations transparently.
Apparently, EU Member States are still discussing a number of open questions regarding ePrivacy Regulation issues.
The big question is: will you get fined within that gray area?
So they don’t want any unique identifiers. Not even in cookies, and surely not personal data.
And how many of your users do you think would give the okay?